
In the process of setting up continuous deployment for an open source project with Travis I came across a predicament: can the encrypted private key be easily exfiltrated? For context, the deployment workflow is:

In a Travis build job, build and test code

If it passes, deploy the code

Decrypt the encrypted private SSH key and start the SSH client

Push to the Git remote on the production server

Using travis encrypt-file deploy_rsa --add, the private key is encrypted and is only decryptable within the Travis build job. Am I correct in assuming that someone forking the repo and creating a Travis build job will not be able to decrypt the key? In addition, is the only attack vector for someone with push rights to modify the .travis-ci script to decrypt the key and send it to themselves?
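As an added example (not code from the question or from Travis itself), here is how the deploy step outlined above can be written so that the key is decrypted only in a trusted build. The `encrypted_XXXXXXXXXXXX_key` / `_iv` variable names stand in for the ones `travis encrypt-file --add` generates, and `example-org/example-project`, `DEPLOY_HOST` and `DEPLOY_REPO` are hypothetical. The guard checks the Travis environment variables that distinguish a push build of the trusted branch from a pull-request build (Travis withholds secure variables from pull requests coming from forks, which is what `TRAVIS_SECURE_ENV_VARS` reports):

```shell
#!/usr/bin/env bash
# Deploy step for a Travis job. Added illustration, not the project's own
# script. encrypted_XXXXXXXXXXXX_key/_iv are placeholders for the variable
# names `travis encrypt-file deploy_rsa --add` writes into .travis.yml;
# DEPLOY_HOST, DEPLOY_REPO and the repo slug are hypothetical.
set -eu

# Returns 0 only when all four conditions hold: the build runs under the
# canonical repository, it is a push build (TRAVIS_PULL_REQUEST is "false",
# otherwise it holds the PR number), it is on the release branch, and Travis
# actually exposed the secure variables to this job.
should_deploy() {
    repo_slug=$1 pull_request=$2 branch=$3 secure_vars=$4
    [ "$repo_slug" = "example-org/example-project" ] || return 1
    [ "$pull_request" = "false" ] || return 1
    [ "$branch" = "master" ] || return 1
    [ "$secure_vars" = "true" ] || return 1
    return 0
}

# The decryption command has the same shape as the one `travis encrypt-file
# --add` generates: AES-256-CBC with the hex key and IV taken from the secure
# environment variables. The plaintext key lives only on the build VM's disk.
decrypt_key() {
    openssl aes-256-cbc \
        -K "$encrypted_XXXXXXXXXXXX_key" \
        -iv "$encrypted_XXXXXXXXXXXX_iv" \
        -in deploy_rsa.enc -out deploy_rsa -d
    chmod 600 deploy_rsa
}

# Load the key into a fresh agent, push, then kill the agent and remove the
# plaintext key so it does not outlive the deploy step.
push_to_production() {
    eval "$(ssh-agent -s)"
    ssh-add deploy_rsa
    git remote add production "deploy@${DEPLOY_HOST}:${DEPLOY_REPO}"
    git push production HEAD:master
    ssh-agent -k
    shred -u deploy_rsa 2>/dev/null || rm -f deploy_rsa
}

main() {
    if should_deploy "${TRAVIS_REPO_SLUG:-}" "${TRAVIS_PULL_REQUEST:-}" \
                     "${TRAVIS_BRANCH:-}" "${TRAVIS_SECURE_ENV_VARS:-}"; then
        decrypt_key
        push_to_production
    else
        echo "not a trusted push build; skipping deploy"
    fi
}

# Only perform the deployment when Travis is running this script.
if [ "${TRAVIS:-}" = "true" ]; then
    main
fi
```

The guard does not change who can read the key: anyone able to push to the trusted branch can still edit this script (or any test that runs before it) to copy `deploy_rsa` elsewhere. It only ensures that pull-request builds and forks never reach the decryption step, and that the plaintext key is removed once the push has finished. Pinning the production host's key in `known_hosts` before the push is a further step worth adding so the deploy cannot be redirected by a spoofed host.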

Whatever build system is used, scripts, and even the code itself, could exfiltrate data during unit tests; usually that's not a real concern on open source projects, and/or build and deploy are separated. Some code quality tests (sonar/checkmark) can also test for suspicious patterns.
– Tensibai♦ Feb 18 '18 at 16:42